Octo Tempest is a financially motivated cybercrime group that uses social engineering and identity compromise to gain initial access to environments, exploiting weaknesses in identity systems to steal data and deploy ransomware.
This group is particularly dangerous because it targets a wide range of businesses, uses native English speakers in its attacks, and is able to quickly adapt its tactics.
Organizations can mitigate the risks posed by Octo Tempest by implementing a response playbook focused on forensics and regaining control of their identity and access management systems.
The first priority is regaining administrative control of your Microsoft Entra ID environment after a compromise of the identity plane. Important steps include using break-glass accounts for emergency access, switching authentication from federated to managed to prevent further token creation by an attacker, and reviewing service principals to remove unnecessary permissions so they cannot be abused for persistence.
To secure access to Microsoft Entra ID resources, implement conditional access policies that require multi-factor authentication (MFA) for all users, require phishing-resistant MFA especially for administrators, block legacy authentication protocols, and enforce password changes for high-risk users.
Additionally, implement user risk-based conditional access policies to validate suspicious sign-ins, isolate cloud administrator accounts, and restrict password reset/MFA operations to authorized personnel.
In the event of a security incident, revoke old admin privileges and create new secured accounts with modern MFA and device-bound passkeys.
Immediate action is required to mitigate the impact of an Octo Tempest intrusion within your Azure environment.
Review and analyze changes to Network Security Groups (NSGs), Azure Firewall rules, and Azure management group and subscription access controls to identify and remove malicious changes.
Implement Intune Multi-Administrator Approval (MAA) to enforce two-person approval for critical actions and prevent further damage.
Investigate all MFA registrations during the compromise period, prepare for re-registration of any compromised accounts, review on-premises Active Directory, and consider a full forest recovery if necessary.
If an administrative account is compromised, isolate the domain controllers, sanitize Active Directory, and rebuild the forest.
Finally, investigate access to key vaults and secret servers to identify and rotate any compromised credentials.
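As an added example (not from the article or from Microsoft's playbook), the following Python sorts Entra audit-log records from the compromise window into the remediation buckets described above: MFA registrations to re-register, federation changes to revert to managed, and service-principal credential additions to review, plus the accounts that initiated them as candidates for privilege revocation. The records, users and domain are constructed; the activity names are assumed to match Entra's audit `activityDisplayName` values.

```python
from datetime import datetime

# Constructed sample records mirroring the shape of an Entra audit log export
# (Graph directoryAudits fields); the users, domain and dates are made up.
AUDIT_RECORDS = [
    {"activityDateTime": "2024-05-10T08:15:00Z",
     "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.test"}},
     "targetResources": [{"userPrincipalName": "alice@example.test"}]},
    {"activityDateTime": "2024-05-12T03:41:00Z",
     "activityDisplayName": "Admin registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
     "targetResources": [{"userPrincipalName": "bob@example.test"}]},
    {"activityDateTime": "2024-05-12T04:02:00Z",
     "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
     "targetResources": [{"displayName": "example.test"}]},
    {"activityDateTime": "2024-05-12T04:30:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
     "targetResources": [{"displayName": "backup-automation-sp"}]},
    {"activityDateTime": "2024-05-20T09:00:00Z",  # outside the window
     "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "carol@example.test"}},
     "targetResources": [{"userPrincipalName": "carol@example.test"}]},
]

# Map each audit activity (assumed activityDisplayName values) to a playbook action.
BUCKETS = {
    "User registered security info": "mfa_reregister",
    "Admin registered security info": "mfa_reregister",
    "Set domain authentication": "federation_changed",
    "Add service principal credentials": "service_principal_review",
}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(records, start, end):
    """Group in-window changes by playbook bucket; 'actors' = initiating accounts."""
    lo, hi = _ts(start), _ts(end)
    out = {b: set() for b in (*BUCKETS.values(), "actors")}
    for rec in records:
        bucket = BUCKETS.get(rec["activityDisplayName"])
        if bucket is None or not lo <= _ts(rec["activityDateTime"]) <= hi:
            continue  # unrelated activity, or outside the compromise window
        out["actors"].add(rec["initiatedBy"]["user"]["userPrincipalName"])
        for target in rec["targetResources"]:
            out[bucket].add(target.get("userPrincipalName") or target.get("displayName"))
    return {b: sorted(items) for b, items in out.items()}
```

Feed it the real export (e.g. from `GET /auditLogs/directoryAudits`) with the window established during forensics; every entry in `mfa_reregister` is a user whose methods must be re-registered, and a non-empty `federation_changed` means the domain must be switched back to managed before trusting any new sign-ins.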
Microsoft recommends using the AD tiering model as an interim measure to mitigate pass-the-hash attacks in on-premises Active Directory environments; it is easier to implement than more comprehensive enterprise access models (EAMs) and provides practical guidance.
Tiering involves creating separate privileged accounts for different access levels and ensuring control plane isolation.
After a potential breach, account remediation steps include password resets, account disabling, access control reviews, and mass password resets.